From owner-freebsd-pf@FreeBSD.ORG Mon May 25 09:30:30 2009
From: John McLaughlin
To: freebsd-pf@freebsd.org
Date: Mon, 25 May 2009 10:16:00 +0100
Message-ID: <4A1A61D0.9010108@tssg.org>
Subject: Address family problems with ECN + ALTQ on IPv6

Hi,

I'm trying to set up a testbed to play around with some ideas regarding ECN. The hardware scenario involves having a Linux box (has to be Linux) either side of a FreeBSD router. All addressing is IPv6 (also a requirement).

I've configured pf in a really simple fashion, thus:

ext_if="xl0"
altq on $ext_if cbq bandwidth 1Mb tbrsize 4000 qlimit 5 queue { def }
queue def bandwidth 100% cbq(default red ecn)

and this works insofar as the bandwidth is limited as specified. I use Netperf to generate traffic between the 2 endpoints through the router, but no packet ever gets marked with CE - only dropped. Traffic is always a TCP stream.

I investigated further by embedding debug statements into altq_ecn.c, and have discovered that the mark_ecn() function is failing at the line:

if (af != AF_INET && af != AF_INET6)
        return (0);

Checking the value of af, it is *always* returned as 0 - I would expect 28 from looking at socket.h.

ECN usage between the two endpoints is negotiated successfully - using Wireshark I can see this in the SYN/SYN ACK packets. Furthermore the outgoing data packets are marked with the ECT(0) (10) codepoint, but the router never signals congestion with the CE (11) codepoint as it always fails the address family check.

Am I missing some sysctl configuration somewhere or possibly a kernel option, or is this a bug?

The following are my kernel options:

# ALTQ support
device          pf
device          pflog
device          pfsync
options         ALTQ
options         ALTQ_CBQ        # Class Based Queuing (CBQ)
options         ALTQ_RED        # Random Early Detection (RED)
options         ALTQ_RIO        # RED In/Out
options         ALTQ_HFSC       # Hierarchical Packet Scheduler (HFSC)
options         ALTQ_PRIQ       # Priority Queuing (PRIQ)
options         ALTQ_NOPCC      # Required for SMP build

Any help will be much appreciated!
Regards,
John McLaughlin

From owner-freebsd-pf@FreeBSD.ORG Mon May 25 11:06:58 2009
From: FreeBSD bugmaster
To: freebsd-pf@FreeBSD.org
Date: Mon, 25 May 2009 11:06:57 GMT
Message-Id: <200905251106.n4PB6vA6092904@freefall.freebsd.org>
Subject: Current problem reports assigned to freebsd-pf@FreeBSD.org

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.


S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/133732  pf         [pf] max-src-conn issue
o kern/132769  pf         [pf] [lor] 2 LOR's with pf task mtx / ifnet and rtent
f kern/132176  pf         [pf] pf stalls connection when using route-to [regress
o conf/130381  pf         [rc.d] [pf] [ip6] ipv6 not fully configured when pf st
o kern/129861  pf         [pf] [patch] Argument names reversed in pf_table.c:_co
o kern/127920  pf         [pf] ipv6 and synproxy don't play well together
o conf/127814  pf         [pf] The flush in pf_reload in /etc/rc.d/pf does not w
o kern/127439  pf         [pf] deadlock in pf
f kern/127345  pf         [pf] Problem with PF on FreeBSD7.0 [regression]
o kern/127121  pf         [pf] [patch] pf incorrect log priority
o kern/127042  pf         [pf] [patch] pf recursion panic if interface group is
o kern/125467  pf         [pf] pf keep state bug while handling sessions between
s kern/124933  pf         [pf] [ip6] pf does not support (drops) IPv6 fragmented
o kern/124364  pf         [pf] [panic] Kernel panic with pf + bridge
o kern/122773  pf         [pf] pf doesn't log uid or pid when configured to
o kern/122014  pf         [pf] [panic] FreeBSD 6.2 panic in pf
o kern/121704  pf         [pf] PF mangles loopback packets
o kern/120281  pf         [pf] [request] lost returning packets to PF for a rdr
o kern/120057  pf         [pf] [patch] Allow proper settings of ALTQ_HFSC. The c
o bin/118355   pf         [pf] [patch] pfctl(8) help message options order false
o kern/114567  pf         [pf] [lor] pf_ioctl.c + if.c
o kern/114095  pf         [carp] carp+pf delay with high state limit
o kern/111220  pf         [pf] repeatable hangs while manipulating pf tables
s conf/110838  pf         [pf] tagged parameter on nat not working on FreeBSD 5.
o kern/103283  pf         pfsync fails to sucessfully transfer some sessions
o kern/103281  pf         pfsync reports bulk update failures
o kern/93825   pf         [pf] pf reply-to doesn't work
o sparc/93530  pf         [pf] Incorrect checksums when using pf's route-to on s
o kern/92949   pf         [pf] PF + ALTQ problems with latency
o bin/86635    pf         [patch] pfctl(8): allow new page character (^L) in pf.
o kern/82271   pf         [pf] cbq scheduler cause bad latency

31 problems total.

From owner-freebsd-pf@FreeBSD.ORG Tue May 26 11:00:10 2009
From: Karsten Schmidt
To: freebsd-pf@FreeBSD.org
Date: Tue, 26 May 2009 11:00:09 GMT
Message-Id: <200905261100.n4QB09AE077331@freefall.freebsd.org>
Subject: Re: kern/132176: [pf] pf stalls connection when using route-to [regression]

The following reply was made to PR kern/132176; it has been noted by GNATS.
From: Karsten Schmidt
To: bug-followup@FreeBSD.org, link@ngc.net.ua
Subject: Re: kern/132176: [pf] pf stalls connection when using route-to [regression]
Date: Tue, 26 May 2009 12:40:52 +0200

I have the same error on a 7.2 box with a bce device and vlans.

#pf.conf
# send all packets from x.x.x.128/26 to nonlocal addresses through x.x.x.129
pass out quick route-to ( bce0.11 x.x.x.129 ) from x.x.x.128/26 to !x.x.x.128/26 no state

#default gateway
91.208.16.1

#ifconfig
bce0: flags=8843 metric 0 mtu 1500
        options=1bb
        ether 00:1f:29:06:85:28
        inet x.x.x.125 netmask 0xffffff80 broadcast x.x.x.127
        media: Ethernet autoselect (1000baseTX )
        status: active
bce0.11: flags=8843 metric 0 mtu 1500
        options=3
        ether 00:1f:29:06:85:28
        inet x.x.x.140 netmask 0xffffffc0 broadcast x.x.x.191
        media: Ethernet autoselect (1000baseTX )
        status: active
        vlan: 11 parent interface: bce0

--
Karsten

From owner-freebsd-pf@FreeBSD.ORG Tue May 26 13:47:32 2009
From: Ermal Luçi
To: Karsten Schmidt
Cc: freebsd-pf@freebsd.org
Date: Tue, 26 May 2009 15:25:45 +0200
Message-ID: <9a542da30905260625p4dda01a6l1e6ebbc7d3130266@mail.gmail.com>
In-Reply-To: <200905261100.n4QB09AE077331@freefall.freebsd.org>
Subject: Re: kern/132176: [pf] pf stalls connection when using route-to [regression]

On Tue, May 26, 2009 at 1:00 PM, Karsten Schmidt wrote:
> The following reply was made to PR kern/132176; it has been noted by GNATS.
>
> From: Karsten Schmidt
> To: bug-followup@FreeBSD.org, link@ngc.net.ua
> Cc:
> Subject: Re: kern/132176: [pf] pf stalls connection when using route-to [regression]
> Date: Tue, 26 May 2009 12:40:52 +0200
>
>  I have the same error on a 7.2 box with a bce device and vlans
>
>  #pf.conf
>  # send all packets from x.x.x.128/26 to nonlocal addresses through x.x.x.129
>  pass out quick route-to ( bce0.11 x.x.x.129 ) from x.x.x.128/26 to
>  !x.x.x.128/26 no state
>
>  #default gateway
>  91.208.16.1
>
>  #ifconfig
>  bce0: flags=8843 metric 0 mtu 1500
>
>  options=1bb
>          ether 00:1f:29:06:85:28
>          inet x.x.x.125 netmask 0xffffff80 broadcast x.x.x.127
>          media: Ethernet autoselect (1000baseTX )
>          status: active
>  bce0.11: flags=8843 metric 0 mtu 1500
>          options=3
>          ether 00:1f:29:06:85:28
>          inet x.x.x.140 netmask 0xffffffc0 broadcast x.x.x.191
>          media: Ethernet autoselect (1000baseTX )
>          status: active
>          vlan: 11 parent interface: bce0
>
>  --

Can you show your complete ruleset?
--
Ermal

From owner-freebsd-pf@FreeBSD.ORG Wed May 27 19:07:44 2009
From: Karsten Schmidt
To: Ermal Luçi
Cc: freebsd-pf@freebsd.org
Date: Wed, 27 May 2009 20:51:18 +0200
Message-ID: <4A1D8BA6.1000909@guggemand.dk>
In-Reply-To: <9a542da30905260625p4dda01a6l1e6ebbc7d3130266@mail.gmail.com>
Subject: Re: kern/132176: [pf] pf stalls connection when using route-to [regression]

Ermal Luçi wrote:
> On Tue, May 26, 2009 at 1:00 PM, Karsten Schmidt wrote:
>
>> The following reply was made to PR kern/132176; it has been noted by GNATS.
>>
>> From: Karsten Schmidt
>> To: bug-followup@FreeBSD.org, link@ngc.net.ua
>> Cc:
>> Subject: Re: kern/132176: [pf] pf stalls connection when using route-to [regression]
>> Date: Tue, 26 May 2009 12:40:52 +0200
>>
>> I have the same error on a 7.2 box with a bce device and vlans
>>
>> #pf.conf
>> # send all packets from x.x.x.128/26 to nonlocal addresses through x.x.x.129
>> pass out quick route-to ( bce0.11 x.x.x.129 ) from x.x.x.128/26 to
>> !x.x.x.128/26 no state
>>
>> #default gateway
>> 91.208.16.1
>>
>> #ifconfig
>> bce0: flags=8843 metric 0 mtu 1500
>>
>> options=1bb
>> ether 00:1f:29:06:85:28
>> inet x.x.x.125 netmask 0xffffff80 broadcast x.x.x.127
>> media: Ethernet autoselect (1000baseTX )
>> status: active
>> bce0.11: flags=8843 metric 0 mtu 1500
>> options=3
>> ether 00:1f:29:06:85:28
>> inet x.x.x.140 netmask 0xffffffc0 broadcast x.x.x.191
>> media: Ethernet autoselect (1000baseTX )
>> status: active
>> vlan: 11 parent interface: bce0
>>
>> --
>>
> Can you show your complete ruleset?
>

After making a simple setup with no vlans, and only one ip on the bce0 interface, I tried a ruleset with only one rule.

#pass out route-to ( bce0 $defaultgate ) from $localip to any no state

Where $defaultgate is the gateway used without the rule too, and $localip is the only ip on the bce0 interface.

This made scp transfers stall to a near halt too.

Trying different options, it seems disabling TSO on bce0 works.

hw.bce.tso_enable=0 in loader.conf or simply ifconfig bce0 -tso makes the scp transfers run at full speed.

Checking with 7.1-RELEASE and 7.0-RELEASE-p4 it's the same behavior, so I guess it's not the same error as kern/132176.

--
Karsten

From owner-freebsd-pf@FreeBSD.ORG Wed May 27 22:08:42 2009
From: Alexandre Biancalana
To: freebsd-pf@freebsd.org
Date: Wed, 27 May 2009 18:42:09 -0300
Message-ID: <8e10486b0905271442j224b37f5nceccaba929a08f8a@mail.gmail.com>
Subject: Multiple ftp servers behind pf with carp multi-ip
Hi list,

I have two firewalls with 7.2-STABLE, PF and Carp for failover.

The machine has one physical interface dedicated to two internet links (from different providers) and uses two vlans on top of this physical interface. Each vlan has one real ip address and a carp interface with multiple real ip addresses for each vlan. I have three ftp servers with invalid ip addresses behind the firewall that need to be accessible from internet.

Then I configured ftp-proxy in the following way:

ftp-proxy -a -b -p21 -R

When ftp_external_ip is an ip associated to the carp interface, the ftp connection is unstable: some times the connection is opened, some times the connection is broken in the middle of the list command or before entering the password. If I start the ftp-proxy command using as ftp_external_ip the ip associated with the vlan interface, everything works great.

These machines are in production, so I'm building a lab with virtual machines to do some experiments and try to reproduce this.

Has anyone seen something like this before?

I can provide any additional information needed to help troubleshooting.

Best Regards,
Alexandre

From owner-freebsd-pf@FreeBSD.ORG Wed May 27 22:12:56 2009
From: Scott Ullrich
To: Alexandre Biancalana
Cc: freebsd-pf@freebsd.org
Date: Wed, 27 May 2009 18:12:33 -0400
In-Reply-To: <8e10486b0905271442j224b37f5nceccaba929a08f8a@mail.gmail.com>
Subject: Re: Multiple ftp servers behind pf with carp multi-ip
On Wed, May 27, 2009 at 5:42 PM, Alexandre Biancalana wrote:
> Hi list,
>
> I have two firewalls with 7.2-STABLE, PF and Carp for failover.
>
> The machine has one physical interface dedicated to two internet
> links (from different providers) and uses two vlans on top of this
> physical interface. Each vlan has one real ip address and a carp
> interface with multiple real ip addresses for each vlan. I have three
> ftp servers with invalid ip addresses behind the firewall that need to
> be accessible from internet.
>
> Then I configured ftp-proxy in the following way:
>
> ftp-proxy -a -b -p21 -R
>
> When ftp_external_ip is an ip associated to the carp interface, the
> ftp connection is unstable: some times the connection is opened, some
> times the connection is broken in the middle of the list command or before
> entering the password. If I start the ftp-proxy command using as
> ftp_external_ip the ip associated with the vlan interface, everything
> works great.
>
> These machines are in production, so I'm building a lab with virtual
> machines to do some experiments and try to reproduce this.
>
> Has anyone seen something like this before?

Sure have with pfSense many times. You might want to give this custom pftpx-route port a try that we have. You can start an instance of pftpx for each wan and then it will do the required route-to work.

http://www.pfsense.org/~sullrich/ported_software/pftpx_routeto/

Scott

From owner-freebsd-pf@FreeBSD.ORG Thu May 28 17:02:16 2009
From: Martin Turgeon
To: freebsd-pf@freebsd.org
Date: Thu, 28 May 2009 12:02:40 -0400
Message-id: <4A1EB5A0.7030206@optiksecurite.com>
Subject: State Mismatch and tcp.closed

Hi list!

I had a problem with state mismatch on my DB server that I solved by lowering the tcp.closed timeout. I set it to 2 instead of 90. I now have what looks like the same problem on the front-end web server. However, when I tried to apply the same fix, I got connection problems with the back-end DB, but the state mismatch disappeared.

On the front-end web server, the state mismatch occurs on the external interface, only on port 80.
I enabled misc debugging and got this in /var/log/messages on the front-end web server:

May 28 05:02:19 francis kernel: pf: BAD state: TCP 127.0.0.25:80 206.125.166.65:80 98.207.239.10:54737 [lo=820536733 high=820603340 win=65535 modulator=0 wscale=0] [lo=2871317100 high=2871375106 win=8326 modulator=0 wscale=3] 7:4 R seq=820536733 (820536732) ack=2871317100 len=0 ackskew=0 pkts=43:69 dir=in,fwd
May 28 05:02:19 francis kernel: pf: State failure on: |
May 28 05:02:19 francis kernel: pf: BAD state: TCP 127.0.0.25:80 206.125.166.65:80 98.207.239.10:54733 [lo=374985971 high=375052578 win=65535 modulator=0 wscale=0] [lo=2999164748 high=2999229169 win=8326 modulator=0 wscale=3] 7:4 R seq=374985971 (374985970) ack=2999164748 len=0 ackskew=0 pkts=40:54 dir=in,fwd
May 28 05:02:19 francis kernel: pf: State failure on: |
May 28 05:03:06 francis kernel: pf: BAD state: TCP 127.0.0.20:80 206.125.166.80:80 123.116.84.41:59776 [lo=3407758259 high=3407823796 win=4096 modulator=0 wscale=2] [lo=374200006 high=374216390 win=8192 modulator=0 wscale=3] 4:2 A seq=3407758259 (3407758260) ack=2320196160 len=0 ackskew=-1945996154 pkts=1:1 dir=in,fwd
May 28 05:03:06 francis kernel: pf: State failure on: 3 |
May 28 05:03:06 francis kernel: pf: BAD state: TCP 127.0.0.20:80 206.125.166.80:80 123.116.84.41:59776 [lo=3407758259 high=3407823796 win=4096 modulator=0 wscale=2] [lo=374200006 high=374216390 win=8192 modulator=0 wscale=3] 4:2 RA seq=3407758259 (3407758260) ack=2320196160 len=0 ackskew=-1945996154 pkts=1:1 dir=in,fwd

This server has been up for 12 days and already got almost 600000 state mismatches!

I tried to lower tcp.finwait, no result. I tried to set optimization to aggressive, no result. I tried to disable port randomization via sysctl, no result either.

I tcpdumped and there are only a few RSTs, so I don't understand why tcp.closed would solve my problem. If it's a problem with source port reuse, tcp.finwait should be the timeout that would help, not tcp.closed, right?

How can a lower tcp.closed on the front-end cause mysql connection problems with the back-end? I tcpdumped while there was a connection problem with the DB and there is nothing that seems wrong, no RST at all! The front-end web server tries to connect to the DB, waits 3 sec and if it fails to establish a connection, it then tries to connect to a read-only backup DB, on another server, which never fails to connect.

The only thing I'm sure of is that it's the tcp.closed that causes the DB connection problem. As soon as I remove it, the state mismatch comes back on the external interface but there's no DB connection problem anymore.

What am I missing?

Martin

From owner-freebsd-pf@FreeBSD.ORG Thu May 28 17:10:27 2009
From: Max Laier
To: freebsd-pf@freebsd.org
Date: Thu, 28 May 2009 19:10:24 +0200
In-Reply-To: <4A1EB5A0.7030206@optiksecurite.com>
Message-Id:
 <200905281910.24809.max@love2party.net>
Subject: Re: State Mismatch and tcp.closed

On Thursday 28 May 2009 18:02:40 Martin Turgeon wrote:
> What am I missing?

Which version of FreeBSD are you running? This problem (aka kern/125261) is supposed to be fixed by:

SVN rev 181295 on 2008-08-04 14:42:09Z by mlaier (in head) and
SVN rev 181596 on 2008-08-11 17:59:47Z by mlaier (in stable/7)

It is not easily fixable in stable/6

--
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

From owner-freebsd-pf@FreeBSD.ORG Thu May 28 18:02:11 2009
Message-id:
<4A1ED1BD.3010504@optiksecurite.com> Date: Thu, 28 May 2009 14:02:37 -0400 From: Martin Turgeon User-Agent: Thunderbird 2.0.0.21 (Windows/20090302) To: Max Laier References: <4A1EB5A0.7030206@optiksecurite.com> <200905281910.24809.max@love2party.net> In-reply-to: <200905281910.24809.max@love2party.net> Cc: freebsd-pf@freebsd.org Subject: Re: State Mismatch and tcp.closed X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 28 May 2009 18:02:12 -0000 Max Laier a écrit : > On Thursday 28 May 2009 18:02:40 Martin Turgeon wrote: >> What am I missing? > > Which version of FreeBSD are you running? This problem (aka kern/125261) > is supposed to be fixed by: > > SVN rev 181295 on 2008-08-04 14:42:09Z by mlaier (in head) and > SVN rev 181596 on 2008-08-11 17:59:47Z by mlaier (in stable/7) > > It is not easily fixable in stable/6 > Hi and thanks for your answer! 
uname -a on the front-end web server: FreeBSD webserver 7.2-RELEASE FreeBSD 7.2-RELEASE #0: Fri May 1 07:18:07 UTC 2009 root@driscoll.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC amd64 uname -a on the back-end MySQL server: FreeBSD mysql 7.0-RELEASE-p5 FreeBSD 7.0-RELEASE-p5 #1: Tue Oct 7 09:57:31 EDT 2008 root@martin.ringadmin.com:/usr/obj/usr/src/sys/OPTIK amd64 Martin From owner-freebsd-pf@FreeBSD.ORG Thu May 28 18:25:21 2009 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 61279106564A for ; Thu, 28 May 2009 18:25:21 +0000 (UTC) (envelope-from biancalana@gmail.com) Received: from mail-ew0-f212.google.com (mail-ew0-f212.google.com [209.85.219.212]) by mx1.freebsd.org (Postfix) with ESMTP id E040D8FC1D for ; Thu, 28 May 2009 18:25:20 +0000 (UTC) (envelope-from biancalana@gmail.com) Received: by ewy8 with SMTP id 8so2155544ewy.43 for ; Thu, 28 May 2009 11:25:20 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:in-reply-to:references :date:message-id:subject:from:to:cc:content-type :content-transfer-encoding; bh=Dh6Pc9kIXkWVCpGapoFZKgyeS1bTVhUb4THVgjN6I3s=; b=jFTS0inb7A80s7Q+DkVvKms8P1Hqqt5hYXYZCyvTcRQPqCb6mlf3hVPEWU4ehXowsp v9ygEUOsAxFF0Gsy8eK3Z2hkEoHwfO0O698PsL7JYlELGjfvwI46OhmlEnSFtN06SWdV Gj8O6Tigbq1KaIv2jIfYKozWQpOHE9sKS+0Ww= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; b=RKfInVxOI0pdHuzq5ogSmO/oKLkT3hXZ6gaHMnjfW/Uo69miM2IoR7V45gT0vfltDC P0UcD8bPUpUaQsa1Wd9iFVexPIWYofwlNs1ypL+gjuVHnZIjHXxbNWNC9H8Ag0x84+8L f8/fj84tbVW2o3tU4BjIdPjDuoMoGdkRqpZOg= MIME-Version: 1.0 Received: by 10.216.71.205 with SMTP id r55mr608021wed.56.1243535119898; Thu, 28 May 2009 11:25:19 -0700 (PDT) In-Reply-To: References: 
<8e10486b0905271442j224b37f5nceccaba929a08f8a@mail.gmail.com>
Date: Thu, 28 May 2009 15:25:19 -0300
Message-ID: <8e10486b0905281125l662e1f98r5b5a68e172d56684@mail.gmail.com>
From: Alexandre Biancalana
To: Scott Ullrich
Cc: freebsd-pf@freebsd.org
Subject: Re: Multiple ftp servers behind pf with carp multi-ip

On Wed, May 27, 2009 at 7:12 PM, Scott Ullrich wrote:
> On Wed, May 27, 2009 at 5:42 PM, Alexandre Biancalana wrote:
>> Hi list,
>>
>> I have two firewalls with 7.2-STABLE, PF and CARP for failover.
>>
>> The machines have one physical interface dedicated to two internet
>> links (from different providers), using two vlans on top of this
>> physical interface. Each vlan has one real ip address and a carp
>> interface with multiple real ip addresses for each vlan. I have three
>> ftp servers with invalid ip addresses behind the firewall that need to
>> be accessible from the internet.
>>
>> Then I configured ftp-proxy in the following way:
>>
>> ftp-proxy -a -b -p21 -R
>>
>> When ftp_external_ip is an ip associated with the carp interface, the
>> ftp connection is unstable: sometimes the connection is opened, sometimes
>> the connection is broken in the middle of the list command or before
>> entering the password. If I start the ftp-proxy command using as
>> ftp_external_ip the ip associated with the vlan interface everything
>> works great.
>>
>> These machines are in production, so I'm building a lab with virtual
>> machines to do some experiments and try to reproduce this.
>>
>> Has someone seen something like this before?
>
> Sure have with pfSense many times. You might want to give this
> custom pftpx-route port a try that we have. You can start an instance
> of pftpx for each wan and then it will do the required route-to work.
>
> http://www.pfsense.org/~sullrich/ported_software/pftpx_routeto/

Hi Scott,

Thank you for your reply.

Against what versions of pftpx can this patch be applied? I'm running 7.2-STABLE on amd64 and the binary file supplied does not work.

Best Regards,
Alexandre Biancalana

From owner-freebsd-pf@FreeBSD.ORG Thu May 28 18:38:07 2009
From: Scott Ullrich
Date: Thu, 28 May 2009 14:37:45 -0400
To: Alexandre Biancalana
Cc: freebsd-pf@freebsd.org
Subject: Re: Multiple ftp servers behind pf with carp multi-ip
In-Reply-To: <8e10486b0905281125l662e1f98r5b5a68e172d56684@mail.gmail.com>
References: <8e10486b0905271442j224b37f5nceccaba929a08f8a@mail.gmail.com> <8e10486b0905281125l662e1f98r5b5a68e172d56684@mail.gmail.com>

On Thu, May 28, 2009 at 2:25 PM, Alexandre Biancalana wrote:
> Thank you for your reply.
>
> Against what versions of pftpx can this patch be applied?
> I'm running 7.2-STABLE on amd64 and the binary file supplied does not work.

There is a pftpx port in the ports tree. You should be able to drop the patch- file into the files folder and:

make clean extract patch

If all goes well then do a:

make install

Let me know if you need further help, or if you want me to I can build you a pftpx that will run on 7.2. I have 5 builders here at my disposal that pfSense uses.
Scott

From owner-freebsd-pf@FreeBSD.ORG Thu May 28 20:17:53 2009
From: Alexandre Biancalana
Date: Thu, 28 May 2009 17:17:52 -0300
To: Scott Ullrich
Cc: freebsd-pf@freebsd.org
Subject: Re: Multiple ftp servers behind pf with carp multi-ip
Message-ID: <8e10486b0905281317h40250894rb98d19f063cd8a1c@mail.gmail.com>
References: <8e10486b0905271442j224b37f5nceccaba929a08f8a@mail.gmail.com> <8e10486b0905281125l662e1f98r5b5a68e172d56684@mail.gmail.com>

On Thu, May 28, 2009 at 3:37 PM, Scott Ullrich wrote:
> On Thu, May 28, 2009 at 2:25 PM, Alexandre Biancalana wrote:
>> Thank you for your reply.
>>
>> Against what versions of pftpx can this patch be applied?
>> I'm running 7.2-STABLE on amd64 and the binary file supplied does not work.
>
> There is a pftpx port in the ports tree. You should be able to drop
> the patch- file into the files folder and:
>
> make clean extract patch
>

The patch does not apply cleanly; I merged it by hand (the final diff is attached) and it compiled OK. I will give it a try and let you know.

I'm curious about the two new command line options -i and -2. What exactly is the purpose of these options?
Alexandre

From owner-freebsd-pf@FreeBSD.ORG Thu May 28 20:23:59 2009
From: Scott Ullrich
Date: Thu, 28 May 2009 16:23:37 -0400
To: Alexandre Biancalana
Cc: freebsd-pf@freebsd.org
Subject: Re: Multiple ftp servers behind pf with carp multi-ip
In-Reply-To: <8e10486b0905281317h40250894rb98d19f063cd8a1c@mail.gmail.com>
References: <8e10486b0905271442j224b37f5nceccaba929a08f8a@mail.gmail.com> <8e10486b0905281125l662e1f98r5b5a68e172d56684@mail.gmail.com> <8e10486b0905281317h40250894rb98d19f063cd8a1c@mail.gmail.com>

On Thu, May 28, 2009 at 4:17 PM, Alexandre Biancalana wrote:
> The patch does not apply cleanly; I merged it by hand (the final diff
> is attached) and it compiled OK. I will give it a try and let you know.
>
> I'm curious about the two new command line options -i and -2. What
> exactly is the purpose of these options?

That might be a little bit outdated. The most up to date port is here:

http://redmine.pfsense.org/repositories/browse/pfsense-tools/pfPorts/pftpx-routeto

I quickly glanced at the source and did not see the -i argument, but the -2 argument should be the route-to IP address:

        if (routeto) {
                memset(&hints, 0, sizeof hints);
                hints.ai_flags = AI_NUMERICHOST;
                hints.ai_family = ipv6_mode ? AF_INET6 : AF_INET;
                hints.ai_socktype = SOCK_STREAM;
                error = getaddrinfo(routeto, NULL, &hints, &res);
                if (error)
                        errx(1, "getaddrinfo route-to address failed: %s",
                            gai_strerror(error));
                memcpy(&routeto_ss, res->ai_addr, res->ai_addrlen);
                logmsg(LOG_INFO, "using route-to (%s %s)", routeto_if,
                    sock_ntop(sstosa(&routeto_ss)));
                freeaddrinfo(res);
        }

Scott

From owner-freebsd-pf@FreeBSD.ORG Thu May 28 20:40:16 2009
References:
<8e10486b0905271442j224b37f5nceccaba929a08f8a@mail.gmail.com> <8e10486b0905281125l662e1f98r5b5a68e172d56684@mail.gmail.com> <8e10486b0905281317h40250894rb98d19f063cd8a1c@mail.gmail.com>
Date: Thu, 28 May 2009 17:40:14 -0300
Message-ID: <8e10486b0905281340i588eea3cj16fc6dd745c3e2ff@mail.gmail.com>
From: Alexandre Biancalana
To: Scott Ullrich
Cc: freebsd-pf@freebsd.org
Subject: Re: Multiple ftp servers behind pf with carp multi-ip

On Thu, May 28, 2009 at 5:23 PM, Scott Ullrich wrote:
> On Thu, May 28, 2009 at 4:17 PM, Alexandre Biancalana wrote:
>> The patch does not apply cleanly; I merged it by hand (the final diff
>> is attached) and it compiled OK. I will give it a try and let you know.
>>
>> I'm curious about the two new command line options -i and -2. What
>> exactly is the purpose of these options?
>
> That might be a little bit outdated. The most up to date port is
> here: http://redmine.pfsense.org/repositories/browse/pfsense-tools/pfPorts/pftpx-routeto
>
> I quickly glanced at the source and did not see the -i argument but
> the -2 argument should be the route-to IP address:
>
>         if (routeto) {
>                 memset(&hints, 0, sizeof hints);
>                 hints.ai_flags = AI_NUMERICHOST;
>                 hints.ai_family = ipv6_mode ? AF_INET6 : AF_INET;
>                 hints.ai_socktype = SOCK_STREAM;
>                 error = getaddrinfo(routeto, NULL, &hints, &res);
>                 if (error)
>                         errx(1, "getaddrinfo route-to address failed: %s",
>                             gai_strerror(error));
>                 memcpy(&routeto_ss, res->ai_addr, res->ai_addrlen);
>                 logmsg(LOG_INFO, "using route-to (%s %s)", routeto_if,
>                     sock_ntop(sstosa(&routeto_ss)));
>                 freeaddrinfo(res);
>         }

Does not work :-(

On the client side the error happens in an intermittent manner:

Pink:/usr/home/ale $ ftp xxx.xxx.11.130
Connected to xxx.xxx.11.130.
220-Microsoft FTP Service
220 FTP SERVER
Name (xxx.xxx.11.130:ale): user
421 Service not available, remote server has closed connection.
ftp: Login failed.
ftp> quit

Pink:/usr/home/ale $ ftp xxx.xxx.11.130
Connected to xxx.xxx.11.130.
421 Service not available, remote server has closed connection.
ftp> quit

Pink:/usr/home/ale $ ftp xxx.xxx.11.130
Connected to xxx.xxx.11.130.
220-Microsoft FTP Service
220 FTP SERVER
Name (xxx.xxx.11.130:ale): user
331 Password required for user.
Password:
421 Service not available, remote server has closed connection.
ftp: Login failed.
ftp>

The server side looks like this:

FW1:/usr/ports/ftp/pftpx # pftpx -D7 -d -c 8023 -f 192.168.0.80 -p 192.168.0.253
using 192.168.0.253 to connect to servers
using route-to (lo0 127.0.0.1)
using fixed server 192.168.0.80
listening on 127.0.0.1 port 8023
#1 accepted connection from xxx.xxx.153.79
#1 FTP session 1/100 started: client xxx.xxx.153.79 to server 192.168.0.80 via proxy 192.168.0.253
#1 server: 220-Microsoft FTP Service\r\n
#1 server: 220 FTP SERVER\r\n
#2 accepted connection from xxx.xxx.153.79
#2 FTP session 2/100 started: client xxx.xxx.153.79 to server 192.168.0.80 via proxy 192.168.0.253
#2 server: 220-Microsoft FTP Service\r\n
#1 server: 220 FTP SERVER\r\n
#2 client: USER user\r\n
#2 server: 331 Password required for user.\r\n
#2 client reset connection
#2 ending session

Any other idea?

Alexandre

From owner-freebsd-pf@FreeBSD.ORG Thu May 28 20:43:30 2009
From: Scott Ullrich
Date: Thu, 28 May 2009 16:42:59 -0400
To: Alexandre Biancalana
Cc: freebsd-pf@freebsd.org
Subject: Re: Multiple ftp servers behind pf with carp multi-ip
In-Reply-To: <8e10486b0905281340i588eea3cj16fc6dd745c3e2ff@mail.gmail.com>
References: <8e10486b0905271442j224b37f5nceccaba929a08f8a@mail.gmail.com> <8e10486b0905281125l662e1f98r5b5a68e172d56684@mail.gmail.com> <8e10486b0905281317h40250894rb98d19f063cd8a1c@mail.gmail.com> <8e10486b0905281340i588eea3cj16fc6dd745c3e2ff@mail.gmail.com>

On Thu, May 28, 2009 at 4:40 PM, Alexandre Biancalana wrote:
[snip]
> FW1:/usr/ports/ftp/pftpx # pftpx -D7 -d -c 8023 -f 192.168.0.80 -p
> 192.168.0.253
> using 192.168.0.253 to connect to servers
> using route-to (lo0 127.0.0.1)
> using fixed server 192.168.0.80
> listening on 127.0.0.1 port 8023

You might want to set the -2 route-to parameter to something other than localhost?
Scott

From owner-freebsd-pf@FreeBSD.ORG Thu May 28 20:46:37 2009
From: Alexandre Biancalana
Date: Thu, 28 May 2009 17:46:35 -0300
To: Scott Ullrich
Cc: freebsd-pf@freebsd.org
Subject: Re: Multiple ftp servers behind pf with carp multi-ip
Message-ID: <8e10486b0905281346k2ff3e068l52e95055f7e1e412@mail.gmail.com>
References: <8e10486b0905271442j224b37f5nceccaba929a08f8a@mail.gmail.com> <8e10486b0905281125l662e1f98r5b5a68e172d56684@mail.gmail.com> <8e10486b0905281317h40250894rb98d19f063cd8a1c@mail.gmail.com> <8e10486b0905281340i588eea3cj16fc6dd745c3e2ff@mail.gmail.com>

On Thu, May 28, 2009 at 5:42 PM, Scott Ullrich wrote:
> On Thu, May 28, 2009 at 4:40 PM, Alexandre Biancalana wrote:
> [snip]
>> FW1:/usr/ports/ftp/pftpx # pftpx -D7 -d -c 8023 -f 192.168.0.80 -p
>> 192.168.0.253
>> using 192.168.0.253 to connect to servers
>> using route-to (lo0 127.0.0.1)
>> using fixed server 192.168.0.80
>> listening on 127.0.0.1 port 8023
>
> You might want to set the -2 route-to parameter to something other
> than localhost?

I forgot to mention that I already did that, setting the -2 parameter to the default router, and the problem remains the same.
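The pftpx-routeto snippet Scott quoted only checks that the -2 argument is a numeric address of the family selected by ipv6_mode (AI_NUMERICHOST keeps a command-line value away from the resolver), and Alexandre's log then shows the proxy running with "using route-to (lo0 127.0.0.1)", a next hop that can never carry the data connection out of the right WAN. The following is an added example, written in Python so it runs anywhere, and is not pftpx or pfSense code: parse_routeto() mirrors the getaddrinfo() call from the quoted C, and check_routeto() adds the early rejection of loopback, unspecified and multicast next hops plus an optional on-link test against the WAN prefix. The function names, the extra checks and the idea that a route-to gateway must be directly reachable are assumptions, not behaviour of the proxy.

```python
"""Validate a route-to next hop for an ftp-proxy/pftpx style multi-WAN setup.

Added example for this thread, not pftpx or pfSense code.  The only behaviour
mirrored from the quoted C is getaddrinfo() with AI_NUMERICHOST and the
address family forced by ipv6_mode; every other check (and all names here)
is an assumption about what a usable route-to gateway looks like."""
import ipaddress
import socket


def parse_routeto(routeto, ipv6_mode=False):
    """Return the normalised next-hop string or raise ValueError.

    AI_NUMERICHOST means a value taken from the command line is never handed
    to DNS, and the forced family means a v4 proxy cannot silently accept a
    v6 next hop (getaddrinfo rejects the mismatch with a gaierror)."""
    family = socket.AF_INET6 if ipv6_mode else socket.AF_INET
    try:
        res = socket.getaddrinfo(routeto, None, family, socket.SOCK_STREAM,
                                 0, socket.AI_NUMERICHOST)
    except socket.gaierror as err:
        raise ValueError("getaddrinfo route-to address failed: %s" % err) from err
    return res[0][4][0].split("%", 1)[0]      # drop an IPv6 scope id if present


def check_routeto(routeto, ipv6_mode=False, wan_prefix=None):
    """Return (ok, reason_or_address).

    Beyond the C snippet's parsing this refuses next hops that cannot carry
    the data connection back out of the right WAN: loopback (the thread's
    "using route-to (lo0 127.0.0.1)"), unspecified and multicast addresses,
    and, when the WAN's on-link prefix is given, an address off that link
    (assumption: route-to needs a directly reachable gateway)."""
    try:
        host = parse_routeto(routeto, ipv6_mode)
    except ValueError as err:
        return False, str(err)
    ip = ipaddress.ip_address(host)
    if ip.is_loopback or ip.is_unspecified or ip.is_multicast:
        return False, "%s is not a usable next hop" % host
    if wan_prefix is not None and ip not in ipaddress.ip_network(wan_prefix, strict=False):
        return False, "%s is not on link %s" % (host, wan_prefix)
    return True, host


if __name__ == "__main__":
    # Constructed inputs: documentation ranges stand in for real WAN addresses.
    for cand in ("127.0.0.1", "192.0.2.1", "2001:db8::1", "ftp.example.com"):
        print(cand, check_routeto(cand, wan_prefix="192.0.2.0/24"))
```

Run the module to see the four candidates classified; with wan_prefix set to the on-link prefix of the WAN the pftpx instance serves, anything but a gateway on that link is refused before the proxy starts, which is cheaper than finding it in a -D7 log later.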
From owner-freebsd-pf@FreeBSD.ORG Thu May 28 21:17:36 2009 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 152BD10657B3 for ; Thu, 28 May 2009 21:17:36 +0000 (UTC) (envelope-from sullrich@gmail.com) Received: from mail-bw0-f213.google.com (mail-bw0-f213.google.com [209.85.218.213]) by mx1.freebsd.org (Postfix) with ESMTP id 88CC08FC1D for ; Thu, 28 May 2009 21:17:35 +0000 (UTC) (envelope-from sullrich@gmail.com) Received: by bwz9 with SMTP id 9so5819544bwz.43 for ; Thu, 28 May 2009 14:17:34 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:in-reply-to:references :from:date:message-id:subject:to:cc:content-type :content-transfer-encoding; bh=78c5aKbtT1E3e3XfJtlMQi3OEctqnwYZhWhbgFV+rMQ=; b=AY+ndfA67prNUjEI0PXN4x3NCj/R8NpqrkG/flhizyc8k3LskqNIFXdPgZrJ76O5qW gZep4G9utInjfMbQ+Wf5cQb2hFWzwbdt8ZXDzmxh8dE72baHea90RYt+9xvl1ZYXEy5N hSQt1itU7yHePsWmXXYzhY57ICXvDqWoK4+zw= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type:content-transfer-encoding; b=XWsvJUiiku97by9Umjfl8yquWcbrmRWeAC2OVKyIMSQuxCjGt3wAIG4Nfc8u2DBQxN yglUaQwTEw5iqmRuyKHph+Nf9IE1Kvg26aOoJ1TMyeDl2+/gUd2NmZYGz9qr5Y82adA9 0K3Ap33+3KXojTtrcfxtddLTMS02CkxP5h5/Y= MIME-Version: 1.0 Received: by 10.204.66.135 with SMTP id n7mr1606597bki.155.1243545454392; Thu, 28 May 2009 14:17:34 -0700 (PDT) In-Reply-To: <8e10486b0905281346k2ff3e068l52e95055f7e1e412@mail.gmail.com> References: <8e10486b0905271442j224b37f5nceccaba929a08f8a@mail.gmail.com> <8e10486b0905281125l662e1f98r5b5a68e172d56684@mail.gmail.com> <8e10486b0905281317h40250894rb98d19f063cd8a1c@mail.gmail.com> <8e10486b0905281340i588eea3cj16fc6dd745c3e2ff@mail.gmail.com> <8e10486b0905281346k2ff3e068l52e95055f7e1e412@mail.gmail.com> From: Scott Ullrich Date: Thu, 28 May 2009 
17:17:14 -0400 Message-ID: To: Alexandre Biancalana Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Cc: freebsd-pf@freebsd.org Subject: Re: Multiple ftp servers behind pf with carp multi-ip X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 28 May 2009 21:17:36 -0000 On Thu, May 28, 2009 at 4:46 PM, Alexandre Biancalana wrote: > I forget to mention that I already do that, setting the -2 parameter > to the default router and the problem remains the same. Sorry that did not work out for you. I do not recall the pftp parameters that I used to use for incoming but I believe I forced the FTP proxy to listen on the public IP and then there was a server parameter that forced it to connect back to the internal server. If you feel like experimenting a bit more you can try our latest mojo which is pf libalias integration. It basically lets libalias handle all incoming and outgoing ftp traffic magically. However if you take this route please be advised that the patch is new but tested. Recommend running DDB just in case of a crash so we can get Ermal Luci a bt. 
http://cvs.pfsense.com/~sullrich/nat_ftphelper.RELENG_7.diff

Scott

From owner-freebsd-pf@FreeBSD.ORG Fri May 29 15:32:18 2009
Message-ID: <4A20001E.5000407@optiksecurite.com>
Date: Fri, 29 May 2009 11:32:46 -0400
From: Martin Turgeon
To: freebsd-pf@freebsd.org
References: <4A1EB5A0.7030206@optiksecurite.com>
In-Reply-To: <4A1EB5A0.7030206@optiksecurite.com>
Subject: Re: State Mismatch and tcp.closed

Martin Turgeon wrote:
> Hi list!
>
> I had a problem with state mismatch on my DB server that I solved by
> lowering the tcp.closed timeout. I set it to 2 instead of 90.
>
> I now have what looks like the same problem on the front-end web server.
> However, when I tried to apply the same fix, I got connection problems
> with the back-end DB, but the state mismatch disappeared.
>
> On the front-end web server, the state mismatch occurs on the external
> interface, only on port 80.
>
> I enabled misc debugging and got this in /var/log/messages on the
> front-end web server:
>
> May 28 05:02:19 francis kernel: pf: BAD state: TCP 127.0.0.25:80 206.125.166.65:80 98.207.239.10:54737 [lo=820536733 high=820603340 win=65535 modulator=0 wscale=0] [lo=2871317100 high=2871375106 win=8326 modulator=0 wscale=3] 7:4 R seq=820536733 (820536732) ack=2871317100 len=0 ackskew=0 pkts=43:69 dir=in,fwd
> May 28 05:02:19 francis kernel: pf: State failure on: |
> May 28 05:02:19 francis kernel: pf: BAD state: TCP 127.0.0.25:80 206.125.166.65:80 98.207.239.10:54733 [lo=374985971 high=375052578 win=65535 modulator=0 wscale=0] [lo=2999164748 high=2999229169 win=8326 modulator=0 wscale=3] 7:4 R seq=374985971 (374985970) ack=2999164748 len=0 ackskew=0 pkts=40:54 dir=in,fwd
> May 28 05:02:19 francis kernel: pf: State failure on: |
> May 28 05:03:06 francis kernel: pf: BAD state: TCP 127.0.0.20:80 206.125.166.80:80 123.116.84.41:59776 [lo=3407758259 high=3407823796 win=4096 modulator=0 wscale=2] [lo=374200006 high=374216390 win=8192 modulator=0 wscale=3] 4:2 A seq=3407758259 (3407758260) ack=2320196160 len=0 ackskew=-1945996154 pkts=1:1 dir=in,fwd
> May 28 05:03:06 francis kernel: pf: State failure on: 3 |
> May 28 05:03:06 francis kernel: pf: BAD state: TCP 127.0.0.20:80 206.125.166.80:80 123.116.84.41:59776 [lo=3407758259 high=3407823796 win=4096 modulator=0 wscale=2] [lo=374200006 high=374216390 win=8192 modulator=0 wscale=3] 4:2 RA seq=3407758259 (3407758260) ack=2320196160 len=0 ackskew=-1945996154 pkts=1:1 dir=in,fwd
>
> This server has been up for 12 days and already got almost 600000 state
> mismatches!
>
> I tried to lower tcp.finwait, no result. I tried to set optimization to
> aggressive, no result. I tried to disable port randomization via sysctl,
> no result either.
>
> I tcpdumped and there are only a few RSTs, so I don't understand why
> tcp.closed would solve my problem. If it's a problem with source port
> reuse, tcp.finwait should be the timeout that would help, not
> tcp.closed, right?
>
> How can a lower tcp.closed on the front-end cause MySQL connection
> problems with the back-end? I tcpdumped while there was a connection
> problem with the DB and there is nothing that seems wrong, no RST at
> all! The front-end web server tries to connect to the DB, waits 3 sec and
> if it fails to establish a connection, it then tries to connect to a
> read-only backup DB, on another server, which never fails to connect.
>
> The only thing I'm sure of is that it's the tcp.closed that causes the DB
> connection problem. As soon as I remove it, the state mismatch comes
> back on the external interface but there's no DB connection problem
> anymore.
>
> What am I missing?
>
> Martin
>

I forgot to mention in the starting post what version I'm using:

uname -a on the front-end web server:
FreeBSD webserver 7.2-RELEASE FreeBSD 7.2-RELEASE #0: Fri May 1 07:18:07 UTC 2009 root@driscoll.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC amd64

uname -a on the back-end MySQL server:
FreeBSD mysql 7.0-RELEASE-p5 FreeBSD 7.0-RELEASE-p5 #1: Tue Oct 7 09:57:31 EDT 2008 root@martin.ringadmin.com:/usr/obj/usr/src/sys/OPTIK amd64

I read about the port reuse problem when I first experienced it with the
DB server and I saw that this wasn't going to happen with the new
release. I was happy to build a new 7.2-Rel server so that I wasn't
going to face the same problem.

But, in fact, I'm facing what looks like the same problem...

I'm all ears to any pointers/suggestions!

Thanks for your precious help.
Martin

From owner-freebsd-pf@FreeBSD.ORG Sat May 30 00:47:22 2009
Message-ID: <52a241a292d8df1c0970d071267cb865.squirrel@mlaier.homeunix.org>
In-Reply-To: <4A20001E.5000407@optiksecurite.com>
References: <4A1EB5A0.7030206@optiksecurite.com> <4A20001E.5000407@optiksecurite.com>
Date: Sat, 30 May 2009 02:34:40 +0200
From: "Max Laier"
To: "Martin Turgeon"
Cc: freebsd-pf@freebsd.org
Subject: Re: State Mismatch and tcp.closed

Can you please post your ruleset? I suspect there is something wrong with it.
By the way, I noticed that you are using a 127/8 address for your web
server. Are you - by chance - running in a jail of some kind? In that case
you might need "set skip on lo0" to avoid troubles. Depending on the kind of
filtering you are doing this might be complicated, however. In any case, we'd
need more details about your setup to help.

On Fri, 29.05.2009, 17:32, Martin Turgeon wrote:
> [...]

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
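Before lowering tcp.closed or tcp.finwait on a box that has logged 600000 mismatches, it helps to know what the "BAD state" and "State failure on:" lines in Martin's message actually say. The following is an added example for this thread, not code posted by anyone on the list and not part of FreeBSD: it parses those debug lines, redoes the six sequence/ack window checks whose numbers pf prints after "State failure on:", and tallies the mismatches by state pair, flags and remote endpoint. The lan/gwy/ext ordering of the three address:port fields follows pf_print_state(), and the six checks together with MAXACKWINDOW (0xffff + 1500) follow pf_test_state_tcp() in the FreeBSD 7.x pf.c of that era; the sample input is the log excerpt from the thread, reproduced verbatim.

```python
"""Parse pf(4) 'BAD state' debug lines and redo the checks pf numbers.

Added example for this thread; not list code and not FreeBSD code.
Address order (lan gwy ext) follows pf_print_state(); the six numbered
checks and MAXACKWINDOW follow pf_test_state_tcp() in FreeBSD 7.x pf.c.
"""
import re
from collections import Counter

# Sample input: the pf debug lines quoted in the thread, reproduced verbatim.
SAMPLE_LOG = """\
May 28 05:02:19 francis kernel: pf: BAD state: TCP 127.0.0.25:80 206.125.166.65:80 98.207.239.10:54737 [lo=820536733 high=820603340 win=65535 modulator=0 wscale=0] [lo=2871317100 high=2871375106 win=8326 modulator=0 wscale=3] 7:4 R seq=820536733 (820536732) ack=2871317100 len=0 ackskew=0 pkts=43:69 dir=in,fwd
May 28 05:02:19 francis kernel: pf: State failure on: |
May 28 05:02:19 francis kernel: pf: BAD state: TCP 127.0.0.25:80 206.125.166.65:80 98.207.239.10:54733 [lo=374985971 high=375052578 win=65535 modulator=0 wscale=0] [lo=2999164748 high=2999229169 win=8326 modulator=0 wscale=3] 7:4 R seq=374985971 (374985970) ack=2999164748 len=0 ackskew=0 pkts=40:54 dir=in,fwd
May 28 05:02:19 francis kernel: pf: State failure on: |
May 28 05:03:06 francis kernel: pf: BAD state: TCP 127.0.0.20:80 206.125.166.80:80 123.116.84.41:59776 [lo=3407758259 high=3407823796 win=4096 modulator=0 wscale=2] [lo=374200006 high=374216390 win=8192 modulator=0 wscale=3] 4:2 A seq=3407758259 (3407758260) ack=2320196160 len=0 ackskew=-1945996154 pkts=1:1 dir=in,fwd
May 28 05:03:06 francis kernel: pf: State failure on: 3 |
May 28 05:03:06 francis kernel: pf: BAD state: TCP 127.0.0.20:80 206.125.166.80:80 123.116.84.41:59776 [lo=3407758259 high=3407823796 win=4096 modulator=0 wscale=2] [lo=374200006 high=374216390 win=8192 modulator=0 wscale=3] 4:2 RA seq=3407758259 (3407758260) ack=2320196160 len=0 ackskew=-1945996154 pkts=1:1 dir=in,fwd
"""

# TCP FSM numbers as pf prints the src:dst state pair (netinet/tcp_fsm.h TCPS_*).
TCPS = {0: "CLOSED", 1: "LISTEN", 2: "SYN_SENT", 3: "SYN_RECEIVED",
        4: "ESTABLISHED", 5: "CLOSE_WAIT", 6: "FIN_WAIT_1", 7: "CLOSING",
        8: "LAST_ACK", 9: "FIN_WAIT_2", 10: "TIME_WAIT"}
MAXACKWINDOW = 0xFFFF + 1500  # pf.c's slack for the ackskew and loose checks


def _peer(tag):
    """Regex for one '[lo= high= win= modulator= wscale=]' peer block."""
    return (rf"\[lo=(?P<{tag}lo>\d+) high=(?P<{tag}hi>\d+) win=(?P<{tag}win>\d+) "
            rf"modulator=\d+ wscale=(?P<{tag}ws>\d+)\]")


BAD_RE = re.compile(
    r"pf: BAD state: (?P<proto>\S+) (?P<lan>\S+) (?P<gwy>\S+) (?P<ext>\S+) "
    + _peer("a") + " " + _peer("b") + " "
    + r"(?P<astate>\d+):(?P<bstate>\d+) (?P<flags>[A-Z]+) seq=(?P<seq>\d+) \(\d+\) "
    + r"ack=(?P<ack>\d+) len=(?P<len>\d+) ackskew=(?P<ackskew>-?\d+) "
    + r"pkts=(?P<pkts>\d+:\d+) dir=(?P<dir>\w+),(?P<rel>\w+)")
FAIL_RE = re.compile(r"pf: State failure on:(?P<codes>[ \d|]*)$")


def parse_pf_debug(text):
    """One dict per BAD state line; the 'State failure on:' line that follows
    it, if any, is attached as the list of failed check numbers (None if absent)."""
    records = []
    for line in text.splitlines():
        m = BAD_RE.search(line)
        if m:
            r = {k: int(v) if v.lstrip("-").isdigit() else v
                 for k, v in m.groupdict().items()}
            # 'fwd' means the first block is the peer pf used as src; 'rev' swaps.
            a, b = ("a", "b") if r["rel"] == "fwd" else ("b", "a")
            r["src"] = {f: r[a + f] for f in ("lo", "hi", "win", "ws")}
            r["dst"] = {f: r[b + f] for f in ("lo", "hi", "win", "ws")}
            r["src_state"] = TCPS.get(r[a + "state"], "?")
            r["dst_state"] = TCPS.get(r[b + "state"], "?")
            r["reported_codes"] = None
            records.append(r)
            continue
        f = FAIL_RE.search(line)
        if f and records and records[-1]["reported_codes"] is None:
            records[-1]["reported_codes"] = [
                int(c) for c in f.group("codes").replace("|", " ").split()]
    return records


def _seq_geq(a, b):
    """SEQ_GEQ(): compare 32-bit sequence numbers modulo 2**32."""
    return ((a - b) & 0xFFFFFFFF) < 0x80000000


def _int32(v):
    """Reinterpret a 32-bit difference as a signed C int (pf's 'ackskew')."""
    v &= 0xFFFFFFFF
    return v - (1 << 32) if v & 0x80000000 else v


def recompute(rec):
    """Redo the six checks behind the digits on 'State failure on:' and return
    (ackskew, failed check numbers) so a logged line can be cross-checked."""
    src, dst = rec["src"], rec["dst"]
    seq = rec["seq"]
    end = seq + rec["len"] + ("S" in rec["flags"]) + ("F" in rec["flags"])
    ackskew = _int32(dst["lo"] - rec["ack"])
    # pf applies window scaling only when both peers advertised it.
    sws, dws = (src["ws"], dst["ws"]) if src["ws"] and dst["ws"] else (0, 0)
    checks = {
        1: _seq_geq(src["hi"], end),
        2: _seq_geq(seq, src["lo"] - (dst["win"] << dws)),
        3: ackskew >= -MAXACKWINDOW,
        4: ackskew <= (MAXACKWINDOW << sws),
        5: _seq_geq(src["hi"] + MAXACKWINDOW, end),
        6: _seq_geq(seq, src["lo"] - MAXACKWINDOW),
    }
    return ackskew, [n for n, ok in checks.items() if not ok]


def summarize(records):
    """Tally mismatches by (src state, dst state, flags, failed checks) and by
    remote endpoint; repeats of one remote host:port point at source-port reuse."""
    by_kind = Counter((r["src_state"], r["dst_state"], r["flags"],
                       tuple(r["reported_codes"] or ())) for r in records)
    by_peer = Counter(r["ext"] for r in records)
    return by_kind, by_peer


if __name__ == "__main__":
    recs = parse_pf_debug(SAMPLE_LOG)
    for r in recs:
        skew, failed = recompute(r)
        print(f"{r['ext']:>21} {r['src_state']}:{r['dst_state']} {r['flags']:<2} "
              f"ackskew={r['ackskew']} (recomputed {skew}) "
              f"failed={r['reported_codes']} (recomputed {failed})")
    kinds, peers = summarize(recs)
    print(kinds.most_common(), peers.most_common())
```

Feed it the raw /var/log/messages excerpt and the digits on each "State failure on:" line come out the same as the recomputed list: the 4:2 A packet fails check 3 because its ackskew (dst.seqlo minus the packet's ack) is far outside MAXACKWINDOW, while the 7:4 R packets pass all six numbered checks, so their drop came from a condition the debug line does not number. Grouping by remote host:port (both 4:2 entries are the same 123.116.84.41:59776) is the quickest way to separate a port-reuse pattern from random noise before tuning timeouts.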